Closed Bug 1385428 Opened 2 years ago Closed 2 years ago

Assertion failure: tt == TOK_FUNCTION, at js/src/frontend/Parser.cpp:2584 with OOM and asm.js

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86_64 Linux
Priority: Not set

Tracking

RESOLVED FIXED
mozilla56
Tracking Status
firefox-esr52 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox56 --- fixed

People

(Reporter: decoder, Assigned: anba)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, jsbugmon, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 5845151f1a2c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager):

loadFile(`
try {
  Array.prototype.splice.call({ get length() {
    "use asm"
    function f() {}
    return f;
} });
} catch (e) {
  assertEq(e, s2, "wrong error thrown: " + e);
}
`);
function loadFile(lfVarx) {
    try {
        oomTest(new Function(lfVarx));
    } catch (lfVare) {}
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x00000000004b7200 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneFunction (this=this@entry=0x7fffffff9d30, fun=..., fun@entry=..., enclosingScope=..., enclosingScope@entry=..., parameterListEnd=..., generatorKind=generatorKind@entry=js::NotGenerator, asyncKind=asyncKind@entry=js::SyncFunction, inheritedDirectives=..., newDirectives=0x7fffffff9410) at js/src/frontend/Parser.cpp:2584
#0  0x00000000004b7200 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneFunction (this=this@entry=0x7fffffff9d30, fun=..., fun@entry=..., enclosingScope=..., enclosingScope@entry=..., parameterListEnd=..., generatorKind=generatorKind@entry=js::NotGenerator, asyncKind=asyncKind@entry=js::SyncFunction, inheritedDirectives=..., newDirectives=0x7fffffff9410) at js/src/frontend/Parser.cpp:2584
#1  0x0000000000ab9762 in BytecodeCompiler::compileStandaloneFunction (this=this@entry=0x7fffffff9780, fun=fun@entry=..., generatorKind=generatorKind@entry=js::NotGenerator, asyncKind=asyncKind@entry=js::SyncFunction, parameterListEnd=...) at js/src/frontend/BytecodeCompiler.cpp:478
#2  0x0000000000ab9a5b in js::frontend::CompileStandaloneFunction (cx=cx@entry=0x7ffff6924000, fun=fun@entry=..., options=..., srcBuf=..., parameterListEnd=..., enclosingScope=..., enclosingScope@entry=...) at js/src/frontend/BytecodeCompiler.cpp:731
#3  0x0000000000d13e75 in HandleInstantiationFailure (metadata=..., args=..., cx=0x7ffff6924000) at js/src/wasm/AsmJS.cpp:8149
#4  InstantiateAsmJS (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/wasm/AsmJS.cpp:8181
#5  0x000000000054757b in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0xd11750 <InstantiateAsmJS(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#6  0x000000000053c60b in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:469
#7  0x000000000053c9d8 in InternalCall (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:514
#8  0x000000000053cb0d in js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:533
#9  0x000000000053ccac in js::CallGetter (cx=cx@entry=0x7ffff6924000, thisv=thisv@entry=..., getter=getter@entry=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:648
#10 0x0000000000ba7581 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=0x7ffff6924000) at js/src/vm/NativeObject.cpp:2064
#11 GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff6924000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:2112
#12 0x0000000000ba8327 in NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff6924000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2343
#13 0x0000000000ba8b30 in js::NativeGetProperty (cx=cx@entry=0x7ffff6924000, obj=..., obj@entry=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2377
#14 0x00000000004f7cd5 in js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6924000) at js/src/vm/NativeObject.h:1536
#15 js::GetProperty (vp=..., name=0x7ffff46261a0, receiver=..., obj=..., cx=0x7ffff6924000) at js/src/jsobj.h:836
#16 js::GetProperty (vp=..., name=0x7ffff46261a0, receiver=..., obj=..., cx=0x7ffff6924000) at js/src/jsobj.h:852
#17 GetLengthProperty (cx=cx@entry=0x7ffff6924000, obj=..., obj@entry=..., lengthp=lengthp@entry=0x7fffffffac70) at js/src/jsarray.cpp:206
#18 0x0000000000503800 in array_splice_impl (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>, returnValueIsUsed=<optimized out>) at js/src/jsarray.cpp:2804
#19 0x000000000054757b in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0x504810 <js::array_splice(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#20 0x000000000053c60b in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:469
#21 0x000000000053c9d8 in InternalCall (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:514
#22 0x000000000053cb0d in js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:533
#23 0x00000000009c4deb in js::fun_call (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/jsfun.cpp:1247
#24 0x00003eb585b24843 in ?? ()
#25 0x00007fffffffb0d8 in ?? ()
#26 0x00007fffffffb028 in ?? ()
#27 0x00007ffff47006c0 in ?? ()
#28 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffff9d30	140737488330032
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffff93d0	140737488327632
rsp	0x7fffffff9140	140737488326976
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7fffffff9d48	140737488330056
r13	0x7fffffff918c	140737488327052
r14	0x0	0
r15	0x7fffffffa520	140737488332064
rip	0x4b7200 <js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneFunction(JS::Handle<JSFunction*>, JS::Handle<js::Scope*>, mozilla::Maybe<unsigned int> const&, js::GeneratorKind, js::FunctionAsyncKind, js::frontend::Directives, js::frontend::Directives*)+1184>
=> 0x4b7200 <js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneFunction(JS::Handle<JSFunction*>, JS::Handle<js::Scope*>, mozilla::Maybe<unsigned int> const&, js::GeneratorKind, js::FunctionAsyncKind, js::frontend::Directives, js::frontend::Directives*)+1184>:	movl   $0x0,0x0
   0x4b720b <js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneFunction(JS::Handle<JSFunction*>, JS::Handle<js::Scope*>, mozilla::Maybe<unsigned int> const&, js::GeneratorKind, js::FunctionAsyncKind, js::frontend::Directives, js::frontend::Directives*)+1195>:	ud2
Attached patch bug1385428.patch
We tried to re-parse the getter method as a standalone function (|tt| was TOK_GET here [1]). But getter (and setter) methods shouldn't be accepted as asm.js functions in the first place, similar to how normal methods are already rejected in EstablishPreconditions().

[1] http://searchfox.org/mozilla-central/rev/09c065976fd4f18d4ad764d7cb4bbc684bf56714/js/src/frontend/Parser.cpp#2584
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Attachment #8891619 - Flags: review?(luke)
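As an added example (not code from the bug report, the reviewer, or the SpiderMonkey patch), the script below shows why a fallback that re-parses a function's own source text as a standalone `function` cannot succeed on an accessor: a plain function's source begins with `function`, while a getter's begins with `get` (the TOK_GET the comment above mentions) and a shorthand method's with its name. It relies on Function.prototype.toString returning the original source text (required since ES2019 and honoured by V8/Node); the directive-prologue scanner is a deliberate simplification written for this example and is not SpiderMonkey's parser.

```javascript
// Added example, not part of the bug or its patch. Classifies functions by the
// first token of their source text and checks for a "use asm" directive.
// Assumption: Function.prototype.toString returns the exact source text.

function sourceOf(fn) {
  return Function.prototype.toString.call(fn);
}

// First token of the source: "function", "get", "set", "async", "class",
// an identifier (method shorthand), "*" (generator method) or "(" (arrow).
function leadingToken(fn) {
  const m = /^\s*([A-Za-z_$][\w$]*|\*|\()/.exec(sourceOf(fn));
  return m ? m[1] : "";
}

// Does the body open with a directive prologue that contains "use asm"?
// Simplified: assumes the first "{" opens the body (so destructured
// parameters are not handled) and accepts only string-literal statements
// terminated by ";" or a line break, which is what a directive prologue is.
function hasUseAsmDirective(fn) {
  const src = sourceOf(fn);
  let i = src.indexOf("{");
  if (i < 0) return false; // concise arrow body: no directive prologue
  i++;
  for (;;) {
    while (i < src.length && /\s/.test(src[i])) i++;
    const q = src[i];
    if (q !== '"' && q !== "'") return false; // prologue has ended
    let j = i + 1;
    while (j < src.length && src[j] !== q) j += src[j] === "\\" ? 2 : 1;
    if (j >= src.length) return false;
    if (src.slice(i + 1, j) === "use asm") return true;
    i = j + 1;
    while (i < src.length && (src[i] === " " || src[i] === "\t")) i++;
    if (src[i] === ";") i++;
    else if (src[i] !== "\n" && src[i] !== "\r") return false; // e.g. "x" + 1
  }
}

// Only a function declaration/expression has the shape a `function`-expecting
// standalone re-parse can accept; accessors and shorthand methods do not.
function classify(fn) {
  const token = leadingToken(fn);
  return {
    token,
    usesAsm: hasUseAsmDirective(fn),
    standaloneFunctionSyntax: token === "function",
  };
}

// Constructed inputs: the bug's getter shape plus the other function forms.
const obj = {
  get length() { "use asm"; function f() {} return f; },
  set length(v) { "use asm"; function f() {} return f; },
  method() { "use asm"; function f() {} return f; },
};
function plainFunction() { "use asm"; function f() {} return f; }
function noDirective() { const s = "use asm"; return s; }

const desc = Object.getOwnPropertyDescriptor(obj, "length");
const report = {
  getter: classify(desc.get),        // token "get", usesAsm true, not standalone
  setter: classify(desc.set),        // token "set"
  method: classify(obj.method),      // token "method"
  func: classify(plainFunction),     // token "function", standalone syntax
  none: classify(noDirective),       // usesAsm false: the string is not a directive
};
```

Run with `node` and inspect `report`: only `func` combines `usesAsm: true` with `standaloneFunctionSyntax: true`, which is the combination the fallback path relied on; the getter in the testcase satisfies the first condition but not the second.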
Comment on attachment 8891619 [details] [diff] [review]
bug1385428.patch

Review of attachment 8891619 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8891619 - Flags: review?(luke) → review+
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/bf040a16d3ed
Disable asm.js compilation in accessor methods. r=luke
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/bf040a16d3ed
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56